The FUD Files: Microsoft’s Push Security “Problems”

I first came across an article condemning Windows Mobile’s “Security Problems” in its push mail implementation only earlier today. Because I have been writing about Direct Push over the last 2 weeks, I was naturally intrigued. Now, whilst I do rather like the current Direct Push implementation, I am no fan-boy either. I like Direct Push simply based on my personal evaluation and requirements.

If security problems have indeed been discovered in Direct Push, I certainly would want to learn about them – and sooner rather than later. An investigation was clearly in order. Because the original report from J. Gold Associates required paid access, I relied on whatever 3rd party reporting that I could find on this subject matter.

The Reports

By piecing together the various reports, we start to glean a much better picture of what is happening. It is apparent now that the source proclaiming “problems” in Direct Push started off with a research note written by an independent analyst in a consultancy firm servicing their paid client base.

A closer examination of an article from eWeek, which featured generous quotes from the original research note, reveals that the latter was a factual report to all intents and purposes. Though it was more vocal than the case strictly merits in persuading enterprises to be wary of adopting Direct Push due to its lack of on-device encryption, its contentions were adequately explained and qualified.

However, the situation deteriorated after the eWeek article, as other publications presumably worked off parts of it.

[25 Oct] J. Gold Associates: Original Technology Brief for paid subscribers titled “Microsoft’s Direct Push Insecurity”
[26 Oct] eWeek.com: “Researchers Criticize Security of Windows Mobile”
[27 Oct] darkReading (CMP Media): “Microsoft’s Push Security Problems”
[31 Oct] Techworld: “Analyst blasts Windows Mobile Security”

Distributed via print media – Computerworld (Singapore): “Analyst blasts Windows Mobile Security”
Community web-sites with strong readership – MobileMonday: “Gold blasts Win Mobile 5 security”


Quotes

Analyst Jack Gold of J.Gold Associates has issued a report called “Microsoft’s Direct Push Insecurity,” which highlights possible security issues with the upgraded mobile messaging software. The potential flaws relate directly to the way the Exchange SP2 email server update and latest version of Windows 5.0 transfer data.

The report states that the underlying “AirSync” code that is used to wirelessly update data between Exchange and the Pocket Outlook client can leave data on the device itself insecure. “The current version of ActiveSync (and AirSync) can only do a file synch of specifically formatted datasets that meet certain Microsoft data requirements,” says the report. “This means that any transfer of data, from Exchange Server to Pocket Outlook, for example, must be done in an unencrypted file state.

In a report published last week, analyst Jack Gold of J. Gold Associates said the way Microsoft Exchange and Windows Mobile 5 handle data transfer leaves sensitive corporate data inadequately protected. The software can only transfer unencrypted data to devices, and Windows Mobile doesn’t provide any encryption options on the device, Gold said in the report, called “Microsoft’s Direct Push Insecurity”.

Analyzing the Claims

Now, I do not refute that Windows Mobile 5.0 does not feature on-board encryption. However, I feel that it is wrong to write off the whole issue as “Microsoft’s Push Security Problems” without understanding that, even without encryption, a Windows Mobile device is still relatively secure except against the most determined hacker.

For a deployment used within an enterprise, consider the below dialog box under Security settings for a Direct Push device that is linked to an Exchange 2003 SP2 server.

WM 5.0 Device Security

From an administrator's point of view, it is possible to enforce a minimum password length, set an inactivity timer, and enforce a remote wipe of the device NVRAM after a certain number of failed login attempts. I would say that the above certainly ensures that a Windows Mobile 5.0 device is no push-over in terms of security.

For a hacker to access the data in a Windows Mobile device, he will need to be armed with tools to dismantle and read the NVRAM of your device directly. Of course, I must qualify that the above only holds assuming that no other files of (security) value are stored on any external memory cards.
